This is a pretty standard infection chain for Locky right now. The malspam was sent out with the subject as “<no subject>” and there wasn’t any content written in the body. Attached to the email was a .zip folder called “20160922162033783339900.zip”. The first part of the string denotes today’s date. I’m not sure the significance, if any, of the end of the string.

Once the user opens the attachment they are presented with an oddly named JScript file. I’m hoping most users wouldn’t open this suspicious file, but curiosity gets the better of people.

Once the JScript is opened and run, it makes a GET request for payloads from up to 3 different distribution sites stored in an array. In my example there were two separate GET requests made. The first distribution site (kothagudemtv[.]com) returned a 404 to my host.

The file was 1 KB in size and was called DuINsSc1, the “1” indicating that it was the first distribution site in the array. Since the first site failed to return the payload, we see an additional GET request for the payload, which was being hosted at paintingoregon[.]com.

The second GET request did successfully return the payload to my host which created both DuINsSc2 and DuINsSc2.dll in the user’s TEMP folder.

Once the second file was received and executed, the host made multiple post-infection POST requests to a C2 via a direct IP (51.254.108.40).
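The chain described above (a failed GET to one distribution site, a successful GET to a fallback site, then POST traffic straight to a bare IP) is a pattern a defender can look for in proxy or web logs. The following script is an added example and is not code from the original post; it parses a constructed, simplified proxy log (timestamp, client, method, host, path, status; the format and field names are assumptions) and flags clients that exhibit that sequence within a short window. The hosts and IP in the sample lines are the ones named in the post; the URL paths are placeholders.

```python
"""Flag the downloader-fallback-then-C2-POST pattern in simplified proxy logs.

Added example for this post, not the author's code. Log format is assumed:
<ISO timestamp> <client> <method> <host> <path> <status>
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one infected client (10.0.0.15) and one benign
# client (10.0.0.22). Paths are placeholders, not real URLs from the campaign.
SAMPLE_LOG = """\
2016-09-22T16:21:05 10.0.0.15 GET kothagudemtv.com /placeholder1 404
2016-09-22T16:21:07 10.0.0.15 GET paintingoregon.com /placeholder2 200
2016-09-22T16:21:20 10.0.0.15 POST 51.254.108.40 /placeholder3 200
2016-09-22T16:25:00 10.0.0.22 GET example.com /index.html 200
2016-09-22T16:25:30 10.0.0.22 POST example.com /login 200
"""


def parse_log(text):
    """Turn the whitespace-separated log lines into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, path, status = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "client": client,
            "method": method,
            "host": host,
            "path": path,
            "status": int(status),
        })
    return events


def is_bare_ip(host):
    """True when the Host header is a literal IP rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_downloader_chains(events, window=timedelta(minutes=5)):
    """Return one hit per client showing: non-200 GET to host A, then a 200 GET
    to a different host B, then a POST to a bare IP, all within `window`."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)

    hits = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["time"])
        for i, failed in enumerate(evs):
            if failed["method"] != "GET" or failed["status"] == 200:
                continue
            # Look for the fallback download from a different distribution site.
            for j in range(i + 1, len(evs)):
                fallback = evs[j]
                if fallback["time"] - failed["time"] > window:
                    break
                if (fallback["method"] == "GET" and fallback["status"] == 200
                        and fallback["host"] != failed["host"]):
                    # Then the post-infection check-in to a direct-IP C2.
                    for k in range(j + 1, len(evs)):
                        beacon = evs[k]
                        if beacon["time"] - fallback["time"] > window:
                            break
                        if beacon["method"] == "POST" and is_bare_ip(beacon["host"]):
                            hits.append({
                                "client": client,
                                "failed_host": failed["host"],
                                "payload_host": fallback["host"],
                                "c2": beacon["host"],
                            })
                            break
                    break
    return hits


if __name__ == "__main__":
    for hit in find_downloader_chains(parse_log(SAMPLE_LOG)):
        print(f"{hit['client']}: failed {hit['failed_host']}, "
              f"fetched from {hit['payload_host']}, POST to C2 {hit['c2']}")
```

Run on the sample log it reports only 10.0.0.15. The POST-to-bare-IP check on its own is a weaker signal (some legitimate software does it), which is why the script requires the failed-then-successful download sequence in front of it before raising a hit.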

Once the files were encrypted, ransom notes were dropped on the Desktop and in folders containing encrypted files.

As always, I recommend blocking all the IPs in the IOCs section listed at the very top of this post.